Security and Deployment Diagrams Quiz
49 Questions

Questions and Answers

What should administrators identify first to ensure security objectives?

  • Specific quality-of-service requirements
  • Key components of the application
  • What data should be protected (correct)
  • Communication ports and protocols

Which of the following elements is NOT included in the deployment diagram?

  • External dependencies
  • Communication ports and protocols
  • User roles and permissions (correct)
  • End-to-end deployment topology

When determining key usage scenarios, what should administrators rely on?

  • Compliance requirements
  • Operating systems in use
  • Use cases of the application (correct)
  • External dependencies

Which aspect is important for identifying technologies used in an application?

  • Database server software (correct)

What best describes the purpose of drawing a deployment diagram?

  • To explain the workings and structure of the application (correct)

Which question helps identify higher-privileged groups of users?

  • Who can delete data? (correct)

Why is it important to know about external dependencies in a deployment scenario?

  • To focus on technology-specific threats (correct)

Which of the following is a key component of identifying security objectives?

  • Assess intangible assets to protect (correct)

Which mechanism primarily ensures that only authorized users can access a system?

  • Authorization and authentication (correct)

What is the significance of identifying trust boundaries in an application?

  • To know where trust levels change (correct)

In the context of application security, what is the purpose of monitoring, auditing and logging?

  • To track user activities and potential security incidents (correct)

Which of the following would NOT typically be involved in effective configuration management?

  • Data flow analysis (correct)

What is a key aspect of session management in application security?

  • Maintaining the state of user interactions (correct)

Parameter manipulation is a threat model that primarily affects which aspect of security?

  • Input validation processes (correct)

Which application security mechanism is essential for ensuring the confidentiality of sensitive data?

  • Cryptography (correct)

Why is it important to identify data flows within an application?

  • To understand communication with external systems (correct)

Which of the following is NOT a task involved in patch management?

  • Designing new applications (correct)

What is a key benefit of implementing a Web Application Firewall (WAF)?

  • Securing existing web applications (correct)

Which tool is NOT listed as a patch management tool?

  • Norton Antivirus (correct)

How does a Web Application Firewall (WAF) assist with compliance?

  • By illustrating compliance with regulatory standards (correct)

Which of the following tasks is included in the process of patch management?

  • Assigning and deploying patches (correct)

What is the primary goal of threat modeling in application security?

  • To identify key vulnerabilities in an application's design (correct)

Which of the following is essential in secure application design?

  • Adhering to established security standards (correct)

Which aspect is NOT typically covered by secure coding practices?

  • Code performance optimization (correct)

What is a key benefit of understanding software security standards?

  • Ensures compliance with safety regulations (correct)

What approach enhances secure application deployment?

  • Automating deployment processes (correct)

Which technique is used for testing application security?

  • Static code analysis (correct)

How does understanding secure application architecture contribute to security?

  • It helps in identifying security-relevant components (correct)

What is the main purpose of secure application development automation?

  • To streamline the development workflow (correct)

Which of the following best describes secure application design?

  • Incorporating security measures from the start (correct)

What role does application security testing play in software development?

  • It helps to identify vulnerabilities before deployment (correct)

What is one primary purpose of application whitelisting in cybersecurity?

  • To block applications not included in a predefined list (correct)

How does application whitelisting help mitigate zero-day attacks?

  • It restricts the execution of applications that could exploit vulnerabilities (correct)

What impact does application whitelisting have on computer efficiency?

  • It increases efficiency by preventing unauthorized applications from running (correct)

What benefit does application whitelisting provide regarding bandwidth usage?

  • It restricts non-essential applications to reclaim bandwidth (correct)

Which statement reflects a legal advantage of application whitelisting?

  • It avoids lawsuits related to the use of licensed applications (correct)

In what way does application whitelisting enhance visibility for organizations?

  • It tracks all applications, running or blocked, on company systems (correct)

How does application whitelisting compare to traditional antivirus programs?

  • It is independent of periodic application updates (correct)

What is one way application whitelisting reduces the attack surface?

  • By blocking unauthorized changes and access to applications (correct)

Which of the following settings should be selected to disable Local Group Policy Objects Processing?

  • Turn Off Local Group Policy Objects Processing (correct)

What is the purpose of applying Software Restriction Policies?

  • To restrict unwanted software execution (correct)

What does setting the properties of the 'Unrestricted' security level allow?

  • Permits all software executions without any restrictions (correct)

Which application is NOT listed as a tool for application whitelisting and blacklisting?

  • SHADE Sandbox (correct)

Which of the following applications is associated with application sandboxing?

  • BUFFERZONE (correct)

What is the principal purpose of patch management in cybersecurity?

  • To manage software updates and vulnerabilities (correct)

Which of the following statements accurately describes application sandboxing?

  • It isolates applications to prevent system harm (correct)

Which tool allows for advanced application control and monitoring?

  • Ivanti Application Control (correct)

Disabling which of the following settings can help in maintaining a secure environment?

  • Local Group Policy Objects Processing (correct)

Which of the following options should be chosen to apply security limitations to all users?

  • Enforce Software Restriction Policies (correct)

    Study Notes

    Certified Cybersecurity Technician (CCT)

    • CCT is a certification offered by EC-Council
    • It focuses on cybersecurity skills, labs, and exams
    • The course is delivered by Emmanuel Ayam
    • Includes various social media links for the instructor

    Module 9: Application Security

    • Application security involves managing and administering application security on networks and computers

    • 9.1 What is a Secure Application

      • A secure application ensures confidentiality, integrity, and availability
      • A restricted resource is any object, data, feature or function designed to be accessed only by authorized users
      • Authentication is the checking of the veracity of a secret
      • Authorization grants the user permission to use protected resources
    • 9.2 Need for Application Security

      • Perimeter controls (firewalls, IDS) are not effective against application-layer attacks
      • Ports 80 and 443 are typically open, allowing attackers to exploit application-level vulnerabilities
    • 9.3 Application Security Administration

      • Protecting users from harmful applications
      • Preventing applications from creating or modifying executable files
      • Preventing applications from accessing resources unnecessarily
      • Preventing applications from spawning processes
      • Regularly updating and securely configuring applications
    • 9.4 Application Security Frame

      • Includes input validation, authentication, authorization, configuration management, web servers
      • Includes application security frameworks, sensitive data protection, session management, cryptography
      • Includes securing the network (router, firewall, switch, IDS, IPS)
      • Includes securing the host
    • 9.5 3W's in Application Security

      • Why: Applications are vulnerable to attacks due to global accessibility
      • Who: Managers, architects, developers, testers, and administrators are responsible for application security
      • What: Security is required at various stages during application development
    • 9.6 Secure Application Design and Architecture

      • Security negligence during design and architecture can lead to expensive problems
      • Security vigilance early on detects potential flaws
      • Secure design is based on earlier SDLC requirements but can be challenging
    • 9.7 Goal of Secure Design Process

      • Identifying threats for developers, designing an architecture that addresses those threats, and enforcing secure design principles
    • 9.8 Secure Design Actions

      • Design the application according to security specifications
      • Define secure coding standards for implementation aspects
      • Perform threat modeling to identify threats
      • Design secure application architecture
    • 9.9 Security Requirement Specifications

      • Software security requirements are non-functional requirements ensuring confidentiality, integrity and availability
      • Stakeholders often overlook security requirements, leading to vulnerabilities
      • Security requirements should be part of the strategic application development processes
    • 9.10 Define Secure Design Principles

      • Security through obscurity, secure the weakest link, use the least privilege principle, secure by default, apply defense in depth
      • Do not trust user input, reduce attack surface, enable auditing, keep security simple, and enforce separation of duties
    • 9.11 Threat Modeling

      • Identifying, analyzing, and mitigating application threats
      • A structured development process
      • Iterative, and performed early during the design phase to expose threats
    • 9.12 Threat Modeling Helps To:

      • Identify relevant threats
      • Identify key vulnerabilities
      • Improve security design
    • 9.13 Threat Modeling Process

      • Identify security objectives
      • Create an application overview
      • Decompose the application
      • Identify threats
      • Identify vulnerabilities
      • Perform risk and impact analysis
    • 9.14 Design Secure Application Architecture

      • A typical web application has three tiers (web, application, database)
      • Security at each tier is critical; one vulnerability can affect the entire system
      • Design with a defense-in-depth principle (multi-tier security)
    • 9.15 Secure Coding Practices: Input Validation

      • Verify user inputs against various criteria
      • Critical to prevent injection attacks on web applications
    • 9.16 Secure Coding Practices: Parameterized Queries and Stored Procedures

      • Parameterized queries distinguish between code and data
      • Prevents attackers from manipulating query intent
    • 9.17 Secure Coding Practices: Unicode Normalization

      • Unicode normalization converts strings to a chosen normal form so that equivalent strings compare as equal
      • Necessary for web apps to avoid vulnerabilities like XSS
    • 9.18 Secure Coding Practices: Output Encoding

      • Converts unsafe characters into equivalent encoded values
      • Prevents XSS attacks
    • 9.19 Secure Coding Practices: Error/Exception Handling

      • Properly handle unusual errors so they do not affect system integrity, confidentiality or availability
    • 9.20 Secure Coding Practices: Secure Session Cookies

      • Cookies store session-specific data
      • Implement mechanisms to create random session IDs
      • Do not store plaintext passwords in cookies
      • Employ cookie timeout and randomization
    • 9.21 Secure Coding Practices: Secure Response Headers

      • Security headers improve web application security
      • HTTP Strict Transport Security (HSTS): Force usage of HTTPS
      • Content Security Policy (CSP): Protect from XSS, code injection, clickjacking
      • Cache-Control: Manage caching mechanisms
    • 9.22 Secure Coding Practices: Obfuscation/Camouflage

      • Making code harder to understand for those aiming to breach or reverse engineer it
      • Altering structural aspects of the code or encrypting strings
    • 9.23 Secure Coding Practices: Code Signing

      • Digital signatures validate software integrity during installation/execution
      • PKI (Public Key Infrastructure) is used for this verification
    • 9.24 Application Security Testing Tools

      • Lists tools that perform automated security testing
    • 9.25 Static Application Security Testing (SAST)

      • Involves detailed, systematic source code inspection
      • Performed toward the end of code development, when the code is stable
    • 9.26 Types of SAST

      • Automated source code analysis, manual source code review
    • 9.27 Dynamic Application Security Testing (DAST)

      • Involves simulating attacks on a running application from an 'outside' perspective
      • Performed by security professionals or by tools like Netsparker, Acunetix, or HCL AppScan
    • 9.28 Types of DAST

      • Automated and manual application security scanning
    • 9.29 SAST vs. DAST

      • SAST involves reviewing the programming code, while DAST tests the application's behavior by exercising it from a user's or other system's perspective
    • 9.30 Web Application Fuzz Testing/Fuzzing

      • Checks for vulnerabilities by manipulating inputs
      • Feeds random data (fuzz) to the application under test
    • 9.31 Steps of Fuzz Testing

    • 9.32 Application Whitelisting

      • Allows only approved applications to run, denying all others
      • Protects application assets from threats
      • Improves system visibility and reduces the attack surface by limiting what can run
    • 9.33 Advantages of Application Whitelisting

      • Prevents malware attacks
      • Mitigates zero-day attacks
      • Reduces the attack surface and improves security
      • Improves computational efficiency
    • 9.34 Application Blacklisting

      • Denies access to specified applications
      • Easy to implement
      • Low maintenance
    • 9.35 Disadvantages of Application Blacklisting

      • Limited in scope; cannot cover new types of threats
      • Not up to date with new attacks
    • 9.36 Using AppLocker for Application Whitelisting

      • Windows built-in tool for controlling applications, executables and scripts
      • Allows control by file, folder or path
    • 9.37 Using ManageEngine Desktop Central for Application Blacklisting

      • Desktop Central is a third-party application to manage and restrict blacklisted applications
      • Users can block executables, settings, and more
    • 9.38 Prerequisites and Disabling Local Group Policy

      • Steps to enable/disable local group policy
    • 9.39 Setting Security Levels

      • Used to define, set and apply security policies or levels
    • 9.40 Prohibit Software Features

      • Management of prohibited applications
      • Adding software to, and managing and updating, a prohibited list that controls which executable files may run
    • 9.41 Additional Application Whitelisting and Blacklisting Tools

      • List of tools that help perform additional whitelisting/blacklisting tasks
    • 9.42 Application Sandboxing

      • Isolates applications in a separate container to protect the system from malicious activities
      • Ensures that applications can't access important files/resources
    • 9.43 Application Sandboxing Tools

      • List of different sandbox tools
    • 9.44 What is Patch Management?

      • Fix known vulnerabilities by installing appropriate patches
      • Steps involved in patch management (Detect, Assess, Acquire, Test, Deploy, Maintain)
    • 9.45 What is Patch Management?

      • Choosing, verifying, testing, and applying/updating patches
      • Listing, recording, and deploying patches
    • 9.46 Patch Management Tools

      • List of tools to support patch management tasks
    • 9.47 Web Application Firewall (WAF)

      • Secures the web server from malicious traffic
      • Places a filter/proxy in front of the web application to analyze traffic
    • 9.48 Benefits of Web Application Firewall (WAF)

      • Secures existing, production web applications
      • Minimizes workload for developers
      • Provides cookie security with encryption
      • Prevents cross-site request forgery
    • 9.49 Configuring URLScan to Set Up as a WAF for IIS Server

      • Using the Microsoft URLScan tool
      • Configuring URLScan criteria
    • 9.50 Web Application Firewall (WAF) Solutions

      • List of different WAF solutions available
    • 9.51 Bug Bounty Programs

      • Challenge programs to find vulnerabilities
      • Rewards given for reporting security flaws
    • 9.52 Web Application Security Scanners

      • Tools for identifying web application vulnerabilities
    • 9.53 Proxy-Based Security Testing Tools

      • Tools that test web application security by routing traffic through an intercepting proxy
    • 9.54 Web Server Footprinting Tools

      • Tools for footprinting web servers to identify vulnerabilities
    • 9.55 Module Summary

      • Module's core concepts
      • Software security and secure coding
      • Secure application development process
      • Tools to improve application security

    General Note

    • Various URLs are provided for specific tools and resources.


    Related Documents

    EC Council CCT Module 9-L PDF

    Description

    This quiz focuses on key concepts in security management and deployment diagrams. Participants will explore essential elements that administrators need to identify for effective application security and deployment. It covers scenarios, technologies, and external dependencies integral to the deployment process.
